Skill v1.0.0
ClawScan security
AI RecSys Weekly Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 8:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and credential requirements are consistent with its stated purpose (generate a weekly AI recommendation/search/ad report and upload it to Tencent IMA).
- Guidance: This skill appears internally consistent for generating reports and syncing them into Tencent IMA, but do these checks before installing:
  - Only install if you trust the ima-skills provider (cos-upload.cjs) because the Python wrapper executes that Node script with upload credentials.
  - Verify the cos-upload.cjs script content (from ima-skills) so it doesn't leak or mishandle credentials.
  - Store IMA client_id and api_key in a secure location and limit their privileges in IMA if possible; the skill expects them in ~/.config/ima.
  - Be aware the script prints subprocess stdout/stderr; run a test with a non-sensitive sandbox KB to confirm no secrets are logged.
  - If you plan automated weekly runs, ensure the WorkBuddy account and target KB have appropriate access controls and rotate API keys as part of your normal security hygiene.
Review Dimensions
- Purpose & Capability (ok): The skill generates research reports and uploads them to IMA; it includes a helper upload script and explicitly depends on an IMA-related skill. Requested artifacts (IMA client_id/api_key stored in ~/.config/ima) and the included upload script are coherent with the described upload capability.
- Instruction Scope (note): Runtime instructions are focused on web search (ArXiv, Chinese tech blogs) and report assembly, then uploading to IMA. The skill reads IMA credentials from ~/.config/ima and uses a bundled Python wrapper to call IMA APIs and an external cos-upload.cjs script; these behaviors match the upload task. Note: the process runs an external Node script (cos-upload.cjs) supplied by the dependent ima-skills; ensure that script is trusted.
- Install Mechanism (ok): There is no remote install/download step in the skill bundle (instruction-only plus a local Python script). No third-party URLs or archive extracts are included in the skill itself, so installation risk is low. The skill does require the separate ima-skills component to supply cos-upload.cjs.
- Credentials (note): Only IMA credentials (client_id and api_key stored under ~/.config/ima) are required, which is proportionate to uploading to IMA. Minor concern: the upload wrapper logs subprocess stdout/stderr which might leak transient COS credentials if the underlying cos-upload.cjs prints them; review cos-upload.cjs and consider running in a controlled environment to avoid accidental credential exposure.
- Persistence & Privilege (ok): The skill does not request permanent or system-wide presence (always:false). It does not modify other skills or agent global settings in the provided files.
